DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Evaluation of DHS’ Information Security Program for Fiscal Year 2005

Office of Information Technology
OIG-05-46                                        September 2005

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared by our office as part of our DHS oversight responsibility to promote economy, effectiveness, and efficiency within the department.

This report assesses the strengths and weaknesses of controls over the information security program and practices at DHS. It is based on interviews with employees and officials of DHS, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents

  Executive Summary .......................................................... 1
  Background ................................................................. 3
  Results of Independent Evaluation .......................................... 6
  Recommendations ........................................................... 14
  Management Comments and OIG Analysis ...................................... 14

Appendices

  Appendix A:  Purpose, Scope, and Methodology .............................. 16
  Appendix B:  Management Response to Draft Report .......................... 18
  Appendix C:  Digital Dashboard ............................................ 20
  Appendix D:  System Inventory and IT Security Performance ................. 21
  Appendix E:  OIG Assessment of the Plan of Action and Milestones Process .. 24
  Appendix F:  OIG Assessment of the Certification and Accreditation Process  25
  Appendix G:  Agencywide Security Configuration Requirements ............... 26
  Appendix H:  Incident Detection and Handling Procedures ................... 27
  Appendix I:  Security Training Procedures ................................. 28
  Appendix J:  Major Contributors to This Report ............................ 29
  Appendix K:  Report Distribution .......................................... 30

Abbreviations

  ATO                 Authority to Operate
  C&A                 Certification and Accreditation
  CBP                 United States Customs and Border Protection
  CIO                 Chief Information Officer
  CIS                 United States Citizenship and Immigration Services
  CISO                Chief Information Security Officer
  CSIRC               Computer Security Incident Response Center
  DHS                 Department of Homeland Security
  DISA                Defense Information Systems Agency
  E-authentication    Electronic Authentication
  EP&R                Emergency Preparedness and Response
  FIPS                Federal Information Processing Standard
  FISMA               Federal Information Security Management Act
  FLETC               Federal Law Enforcement Training Center
  FY                  Fiscal Year
  IAIP                Information Analysis and Infrastructure Protection
  ICE                 United States Immigration and Customs Enforcement
  ISSM                Information Systems Security Manager
  ISSO                Information Systems Security Officer
  IT                  Information Technology
  NIST                National Institute of Standards and Technology
  NSA                 National Security Agency
  ODP                 Office of Domestic Preparedness
  OIG                 Office of Inspector General
  OMB                 Office of Management and Budget
  PKI                 Public Key Infrastructure
  POA&M               Plan of Action and Milestones
  S&T                 Science and Technology
  SP                  Special Publication
  TSA                 Transportation Security Administration
  US-CERT             United States Computer Emergency Readiness Team
  USCG                United States Coast Guard
  USSS                United States Secret Service
  US-VISIT            United States Visitor and Immigrant Status Indicator Technology

Evaluation of DHS’ Information Security Program for FY 2005

Executive Summary

Due to the increasing threat to information systems and the highly networked nature of the federal computing environment, Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies’ compliance with the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA focuses on the program management, implementation, and evaluation of the security of unclassified and national security systems.[2]

To comply with OMB’s FISMA reporting requirements, we conducted an independent evaluation of the Department of Homeland Security’s (DHS) information security program and practices. As part of our review, we evaluated DHS’ processes and the progress made in implementing its agencywide information security program. In doing so, we specifically assessed DHS’ Plan of Action and Milestones (POA&M) as well as certification and accreditation (C&A) processes. We focused our evaluation on whether DHS’ major organizational components are aligning their information security program and practices with DHS’ agency-wide information security program.

We performed our work at both the program and the organizational component levels. The following organizational components were included in our review: United States Customs and Border Protection (CBP), United States Citizenship and Immigration Services (CIS), Emergency Preparedness and Response (EP&R), Federal Law Enforcement Training Center (FLETC), Information Analysis and Infrastructure Protection (IAIP), United States Immigration and Customs Enforcement (ICE), DHS Management (Management), Office of Inspector General (OIG), Science and Technology (S&T), Transportation Security Administration (TSA), United States Coast Guard (USCG), and United States Secret Service (USSS). See Appendix A for a detailed discussion of our purpose, scope, and methodology.

  [1] FISMA is included under Title III of the E-Government Act (Public Law 107-347).
  [2] The term “national security system” means any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency: (i) the function, operation, or use of which involves intelligence activities; involves cryptographic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military intelligence missions (excluding a system that is to be used for routine administrative and business applications, i.e., payroll, finance, logistics, and personnel management applications), or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

DHS achieved two significant milestones that will help the department move toward managing a successful information security program. First, DHS completed a comprehensive inventory of its major applications and general support systems, including contractor and national security systems, for all organizational components. Second, DHS implemented a department-wide certification and accreditation (C&A) tool that incorporates the guidance required to adequately complete a C&A for all systems. The completion of these two tasks eliminated two factors that significantly held the department back from achieving success in establishing its security program in the last two years.

The Chief Information Security Officer (CISO) revised the baseline information technology (IT) security policies and procedures in the Sensitive Systems Policy Publication 4300A and its companion, the Sensitive Systems Handbook,[3] and National Security Systems Policy Publication 4300B and its companion, the National Security Systems Handbook,[4] to include updated policy on Public Key Infrastructure (PKI), wireless communication, and media reuse and disposition. Other changes included mandating that the components ensure that their systems meet the requirements specified in the DHS baseline configuration guides, as well as the acceptable methods for encrypting sensitive information. Additionally, DHS issued the DHS Information Security Program Plan of Action and Milestones (POA&M) Process Guide,[5] which provides the department and components with the necessary guidance and procedures to develop, maintain, report, and mature the POA&M process. Together, these policies and procedures, if fully implemented by the components, should provide DHS with an effective information security program that complies with FISMA requirements.

  [3] The latest versions are dated July 29, 2005.
  [4] The latest versions are dated August 15, 2005.
  [5] Dated June 10, 2005.

As we reported in our Fiscal Year (FY) 2004 FISMA evaluation, and despite several major improvements in DHS’ information security program, DHS organizational components, through their Information Systems Security Managers (ISSM), have not completely aligned their respective information security programs with DHS’ overall policies, procedures, and practices. For example:

  •  Not all DHS systems have been certified and accredited.
  •  Not all organizational components’ information security weaknesses are included in a POA&M.
  •  Data in the enterprise management tool, Trusted Agent FISMA, is not complete or current.
  •  System contingency plans have not been developed or tested for all systems.
  •  FISMA metrics data, captured within Trusted Agent FISMA and used by the Chief Information Officer (CIO) to monitor components’ security programs, is not comprehensively verified.

While DHS has issued substantial guidance designed to create and maintain secure systems, we identified areas where agencywide information security procedures require strengthening: (1) certification and accreditation; (2) vulnerability testing and remediation; (3) penetration testing; (4) contingency plan development and testing; (5) incident detection, analysis, and reporting; (6) security configuration; and (7) specialized security training.

In our FY 2004 report, we identified issues to be addressed to assist DHS and its components in the implementation of its information security program. While some of these issues have been addressed, such as completing a comprehensive inventory, the majority of DHS’ operational systems have not been certified and accredited. Further, POA&Ms have not been developed for all weaknesses. We recommend that DHS continue to consider its information security program a significant deficiency for FY 2005.

In response to our draft report, DHS agreed and has already taken steps to implement each of our recommendations. DHS’ response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

The E-Government Act of 2002 (Public Law 107-347) recognized the importance of information security to the economic and national security interests of the United States.[6] Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support federal operations and assets.

  [6] Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

FISMA requires each federal agency to develop, document, and implement an agency-wide security program. The agency’s security program should protect the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as assessments of related security policies and procedures. OIGs must independently evaluate the effectiveness of an agency’s information security program and practices on an annual basis.

OMB issued memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, on June 13, 2005. The memorandum provides updated instructions for agency and OIG reporting under FISMA. This annual evaluation summarizes, according to OMB’s instructions, the results of our review of DHS’ information security program and practices.

DHS’ CIO, who has oversight responsibilities for DHS’ information security program, has delegated to the CISO, as required under FISMA, the authority to establish information security policies and procedures throughout the department. DHS’ CISO has reorganized the staff into three main areas: program management, program services, and program performance. These areas are essential to deliver a successful security program to protect the confidentiality, integrity, and availability of information.

DHS has developed a process for reporting and capturing known security weaknesses in POA&Ms. DHS utilizes an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all POA&M activities, including self-assessments and certification and accreditation data. Trusted Agent FISMA also collects data on other FISMA metrics, such as the number of systems that have contingency plans, systems with contingency plans tested, systems certified and accredited, employees who have received IT security training, and incident response statistics. DHS also uses an enterprise C&A tool, Risk Management System, to automate and standardize portions of the C&A process so that DHS can quickly and efficiently develop security accreditation packages. See Figure 1 for an illustration of how the tools are used within the department to collect, manage, and report information security metrics.

A Security Applications Working Group was established in June 2004. The group meets monthly to foster a dialogue between the CISO and the organizational components, to obtain the components’ input on ways to improve the FISMA data collection effort, and to address issues and problems that relate to the use of Trusted Agent FISMA and the C&A tool.

To manage the organizational components’ compliance with FISMA metrics and the effectiveness of their component-level information security programs, the CISO has developed a “digital dashboard,” which uses red, yellow, and green indicators to reflect the status of each component’s percentage of compliance.[7] The information used to develop the digital dashboard comes from data in Trusted Agent FISMA and from DHS’ program directors. See Appendix C for the digital dashboard as of August 26, 2005.

  [7] These metrics include the percentage of systems that have been accredited, systems and applications for which an annual self-assessment has been completed, systems with contingency plans developed and tested, personnel (employees and contractors) that completed security awareness, and IT security professionals trained.

Figure 1: DHS’ Enterprise Security Management Tools Usage
[Figure: inputs from DHS 4300 (FISMA Requirements, OMB/NIST Guidance, Other Requirements) and from Component IT Security Program Implementation and IT System Implementations feed the C&A Tool (System Security Plan (SSP), Requirements Traceability Matrix (RTM), Security Assessment Report (SAR), Sample Test Procedures, Test Results, Contingency Plans; future link to the FISMA Reporting Tool). DHS Components/Domains provide Monthly Status Updates to the FISMA Reporting Tool (System and Program Security Metrics, Plan of Action and Milestones (POA&M), Annual Assessment Questionnaire, Summary of C&A Status/Docs, Reports, Digital Dashboard). Data Review Teams (DHS Compliance Review Teams, OIG, Component/Domain ISSM) perform Data Verification and Review. FISMA Reports go to OMB; Digital Dashboard metrics go to DHS Management.]
Source: DHS Sensitive Systems Handbook, Attachment E – FISMA Reporting

In addition to our independent evaluation, we conducted reviews of DHS’ information systems and security program related areas throughout FY 2005. This report includes results of a limited number of systems evaluated during our on-going financial statement review, and from on-going audits of network security, database security, and United States Visitor and Immigrant Status Indicator Technology (US-VISIT) security.

Results of Independent Evaluation

We separated the results of our evaluation into six FISMA reporting areas. For each area we identified progress that DHS has made since our FY 2004 evaluation and issues that need to be addressed in order to be successful in the FISMA area.

System Inventory and IT Security Performance

DHS has made significant progress by compiling a department-wide system inventory and issuing additional guidance to the components. However, DHS must perform self-assessments and e-authentication risk assessments on all of its systems, including contractor systems.

PROGRESS

  •  DHS completed a comprehensive inventory of its major applications and general support systems, including contractor and national security systems. DHS identified 795 operational systems (as of August 25, 2005). In FY 2004, DHS reported 295 systems.
  •  DHS issued guidance for: (1) identifying security categories for information and information systems (Federal Information Processing Standard (FIPS) Publication 199);[8] (2) determining if an electronic authentication (e-authentication) risk assessment is required (and the assurance level, as appropriate); and (3) determining if a privacy impact assessment is required.
  •  DHS issued a draft PKI policy in April 2005 as well as a draft wireless policy and procedures in June 2005.
  •  DHS established a policy prohibiting peer-to-peer file sharing software on DHS computers or on any computer or information system that might be connected to its network.

  [8] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004, defines the standards all federal agencies are to use in categorizing information and information systems according to a range of risk levels impacting the confidentiality, integrity, and availability of the information or information systems.

ISSUES TO BE ADDRESSED

  •  Since completing its first comprehensive system inventory in August 2005, DHS has not yet developed a process that it will use to update its inventory at least annually beginning next year.
  •  Components have not completed e-authentication risk assessments for all systems.
  •  Components have completed National Institute of Standards and Technology (NIST) 800-26 self-assessments on only 46 percent of their contractor systems (as of August 26, 2005).[9]
  •  System contingency plans have not been developed or tested for all systems. For example, during our network audit, we determined that TSA and USSS had not developed a contingency plan, and USCG had not tested its contingency plan. During our database audit, we determined that CIS, USCG, and USSS had not developed a contingency plan, while EP&R had not tested its contingency plan.

  [9] Contractor systems include information systems used or operated by a contractor of an agency or other organization on behalf of an agency.

See Appendix D for specific System Inventory and IT Security Performance data.

OIG Assessment of the Plan of Action and Milestones Process

While DHS has issued guidance and implemented a tool to capture and track weaknesses, improvements are needed in the components’ implementation of the POA&M process. The components are not including all IT security weaknesses in the tool, nor is all of the data entered accurately.

PROGRESS

  •  DHS made numerous enhancements to Trusted Agent FISMA to make it a more useful tool to manage its security program. Enhancements included additional management reports at the component and department level, computed metrics, and updates to fields in the digital dashboard and other sections to support changes in FISMA reporting.
  •  DHS issued the DHS Information Security Program Plan of Action and Milestones (POA&M) Process Guide in June 2005. The document provides the department and components the guidance and procedures for developing, maintaining, reporting, and maturing the POA&M process. See Figure 2 for the DHS POA&M process.
  •  DHS established a process to conduct monthly, high-level reviews of some of the POA&M data entered into Trusted Agent FISMA to determine if the information is complete. The results of these reviews are communicated to DHS components through various means, including “Get Well” reports and comments accessible through the Trusted Agent FISMA Digital Dashboard.

Figure 2: DHS’ POA&M Process
[Figure: process flow with the following stages. Weakness Identified: an IT security weakness, material weakness, or significant deficiency is identified, at either a program or a system level. Document Weakness: ISSOs ensure POA&Ms are entered into Trusted Agent FISMA. Prioritize: the DHS CISO ensures that the agency’s POA&M process represents a prioritization of agency IT security weaknesses, which ensures that IT security weaknesses are addressed in a timely manner and receive, where necessary, appropriate resources. Trusted Agent FISMA: the OEs use the DHS enterprise-wide tool, Trusted Agent FISMA, for identifying and tracking all POA&Ms to closure; for Sensitive Systems, the OEs document and manage POA&Ms using Trusted Agent FISMA; for Classified, Intelligence, and National Security Systems, the OEs maintain redacted POA&M data within Trusted Agent FISMA for enterprise management and oversight. Quarterly Reporting/Review: ISSMs review, on a quarterly basis, for consistency and accuracy within their OE, and the CISO submits quarterly reports to OMB and Congress. Annual Reporting/Review.]
Detailed POA&M\n                                                                             documentation is maintained off -line and made\n                                                                                       readily available to auditors.\n\n\n\n                                                                                   ISSOs\n                                                            POA&M                  develop, track\n                                                         Developed and             and manage\n                                                          Documented               POA&Ms for\n                                                                                   systems                           ISSMs ensure the use of Trusted Agent\n                                                                                   under their                       FISMA to develop, track, and manage the\n                                                                                   control.                  
ISSM    remediation of IT system and program\n                                                                                                                     weaknesses within their OE\n\n\n\n                                                             Take\n                                                           Corrective\n                                                            Action\n\n                                                                            Repeat until all of the\n                                                                            milestones have been\n                                                                            completed for each\n                                                                            weakness.\n                   Independent review conducted\n                   by Compliance and Oversight               Track\n                   Program within the Office of the       Corrective\n                   CISO                                   Action(s) to\n                                                          Completion\n\n\n                                                                           Complete Monthly\n                                                                           Updates within Trusted\n                                                            Monthly        Agent FISMA\n                                                           Reviews of\n                                                           weaknesses\n                                                          and milestone\n                                                               data                ISSOs ensure POA&M are\n                                                                                   current as documen ted in\n                                                                                   Trusted Agent FISMA\n\nSource: POA&M Guide\n\nNote: Based on our review, the main 
reason for the process failure is due to the ISSMs and\nISSOs not ensuring that POA&Ms are entered and current.\n\n                                              ISSUES TO BE ADDRESSED\n\n                                              \xe2\x80\xa2       DHS\xe2\x80\x99 components have not created POA&Ms for all known\n                                                      weaknesses. As of August 22, 2005, only 35 percent of the 791\n                                                      operational applications and general support systems listed in Trusted\n                                                      Agent FISMA had POA&Ms entered. Since 68 percent of the\n                                                      operational systems do not have a completed C&A (as of\n                                                      August 26, 2005 - see Appendix C), there should be at least one\n                                                      POA&M (lack of completed C&A) for each of these systems.\n\n                                                  Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2005\n\n                                                                                      Page 8\n\x0c\xe2\x80\xa2     DHS relies on the component ISSMs and Information Systems\n      Security Officers (ISSO) to ensure that POA&M information is\n      entered, accurate, and that weaknesses listed in the POA&Ms are\n      resolved. However, based upon our analysis of data in Trusted Agent\n      FISMA as of August 22, 2005, the ISSMs and ISSOs are not\n      maintaining current information as to the progress of security\n      weakness remediation.\n           \xc3\x98 We determined that 650 of the 2,425 open POA&Ms\n             (27 percent) had estimated completion dates prior to July 22,\n             2005. 
    Therefore, those POA&Ms have not been updated in over a month, including 40 (2 percent) that had not been updated in over a year.
  – Ninety-five POA&Ms (4 percent) did not have an estimated completion date entered in the system.
  – Only 370 of the 2,425 open POA&Ms (15 percent) included the resources required for remediation, and almost half of those (152) listed the cost of remediation as one dollar. The total estimated cost of remediation for the 370 POA&Ms is approximately $24.3 million. Since this amount represents only a small percent of all POA&Ms, the actual cost to remediate all weaknesses cannot be accurately budgeted by the components or the department.
• The components have not created POA&Ms for all OIG audit report findings in Trusted Agent FISMA. Of the seven components notified of security weaknesses during fiscal year 2005 network, database, and US-VISIT audits (CBP, CIS, EP&R, TSA, USCG, USSS, and US-VISIT), only EP&R had established POA&Ms for all identified weaknesses.
• The CISO has not established detailed procedures to review the components’ POA&M information for accuracy, completeness, and quality at least quarterly, as required by OMB. DHS plans to hire a contractor to conduct component site visits, which would include detailed reviews of the POA&M process, including reviewing the quality and completeness of the components’ POA&M data. The methodology of the reviews has not been established.
• Based on our review of data in Trusted Agent FISMA as of August 22, 2005, we determined that ten components did not appropriately assign security responsibilities for their respective systems. Specifically, CBP, CIS, IAIP, ICE, Infrastructure, Office of Domestic Preparedness (ODP), S&T, TSA, USCG, and USSS each had three or more major applications or general support systems with no security personnel identified in Trusted Agent FISMA, including TSA and USCG, which each had 15 systems with no designated personnel. Further, four components had designated one person as the ISSO for numerous major applications or general support systems (e.g., CIS: 24 systems; IAIP: 16 systems; USCG: 144 systems; USSS: 39 systems).

See Appendix E for the OIG Assessment of the POA&M Process.

OIG Assessment of the Certification and Accreditation Process

DHS has implemented a departmental C&A tool. However, we determined that many C&A packages did not contain all of the required documents. In addition, the majority of DHS’ systems have not been certified and accredited.

PROGRESS

• DHS deployed a C&A tool to establish a standard process to certify and accredit IT systems. For all C&As beginning in April 2005, components were required to use the tool to accredit all unclassified and collateral classified systems.
• DHS issued guidance to assist components in determining system impact levels in accordance with FIPS 199.

ISSUES TO BE ADDRESSED

• Our review of 16 certification and accreditation packages at nine components found 15 instances in which accreditation packages were incomplete.
  Specifically, systems were accredited although some key security documents were either not prepared, in draft, or did not meet all applicable OMB and National Institute of Standards and Technology (NIST) guidelines. Documents include system security plans, risk assessments, FIPS 199 security categorizations, privacy impact assessments, e-authentication assessments, memoranda of understanding, contingency plans, and contingency plan testing.
• Components have not defined impact levels according to FIPS 199 for all systems in Trusted Agent FISMA.
• Components have not performed privacy impact assessments for all systems.
• The CISO requires Authority to Operate (ATO) memorandums to be uploaded into Trusted Agent FISMA in order for a system to be counted as accredited. Our review of 215 ATO letters in Trusted Agent FISMA on May 31, 2005 disclosed that some were not valid. Specifically, nine were Interim ATO letters, nine were recommendations for ATO, eight were ATO letters for a different system, two were not ATO letters, and two were blank documents.
• As of August 26, 2005, only 32 percent of DHS’ 795 operational systems have been certified and accredited.

See Appendix F for the OIG Assessment of the C&A Process.

Agencywide Security Configuration Requirements

DHS has issued baseline software security configuration guides for many of its systems. However, the components have not implemented security configuration requirements for all systems.

PROGRESS

• DHS developed agencywide security baseline configuration guides for Windows 2000, Windows 2003/XP Professional, Solaris, HP-UX, Linux, Cisco routers, and Oracle database servers in November 2004.
• DHS requires that components ensure that the installation of hardware and software products meets the requirements specified in applicable DHS baseline configuration guides.
• Several of the components included in our review have developed their own baseline security configuration requirements, or incorporated some of the configuration guidelines published by DHS and other agencies (such as NIST, the National Security Agency [NSA], and the Defense Information Systems Agency [DISA]), for at least some of their applications and operating system environments. For example, CBP is using many sources as a baseline to develop its policies, including DHS, NIST, NSA, and DISA guidelines; and USCG uses DISA guidelines as a baseline for its policies.

ISSUES TO BE ADDRESSED

• At the time of our review, baseline configuration guides had not been developed for all hardware and software systems in use at DHS (for example, Windows NT and the Microsoft SQL Server database management system).
• Our review of four baseline configuration guides (Windows 2000, Linux, Solaris, and Oracle) disclosed that improvements are needed for three of the guides (Linux, Solaris, and Oracle) in order to properly secure DHS’ systems. While DHS issued updated guides on September 1, 2005, we were unable to determine if the guides are adequate.
• DHS policy does not require that the components use NIST’s security configuration checklists (NIST Special Publication (SP) 800-70) for systems where DHS has not developed its own baseline configuration guides.
• DHS components have not implemented security configuration requirements for all of their systems.
• The CIO does not have a process to determine that components have implemented DHS baseline configurations.

See Appendix G for information regarding DHS’ Agencywide Security Configuration Requirements.

Incident Detection, Handling, Reporting, and Analysis Procedures

DHS has not improved its incident detection, handling, reporting, and analysis procedures during the last year.
DHS does not have a departmental vulnerability assessment program to ensure that all systems are tested at least yearly.

ISSUES TO BE ADDRESSED

• DHS’ vulnerability assessment program has not been fully established. Therefore, DHS does not have reliable measures or a baseline to assess the results of its vulnerability scans or its penetration tests.
• Vulnerability assessments performed at components reviewed during our network, database, and US-VISIT audits (CBP, CIS, EP&R, TSA, USCG, USSS, US-VISIT) identified security concerns resulting from inadequate password controls, patch management, and configuration management.
• Some components are not reporting incidents to the DHS Computer Security Incident Response Center (CSIRC), as required. Components are required to submit weekly incident reports. Four components (CBP, CIS, EP&R, FLETC) did not submit reports every week during a ten-week period that we reviewed.
• DHS CSIRC does not follow up with components that do not submit weekly incident reports.
• DHS does not have detailed procedures for reporting incidents externally to law enforcement authorities. We also reported this issue in our FY 2004 FISMA report.[10]
• The department has not defined detailed procedures for the DHS CSIRC to perform department-wide security incident analysis. We reported a similar issue in our FY 2004 FISMA report.

[10] Evaluation of DHS’ Information Security Program for Fiscal Year 2004, dated September 2004 (OIG-04-41).

See Appendix H for information regarding DHS’ Incident Detection and Handling Procedures.

Security Training Procedures

DHS needs to improve its security awareness and security professional training programs. The components have not identified all employees and contractors with significant security responsibilities or the specific training that is needed for these employees.

PROGRESS

• DHS has established an IT Security Training Working Group, which meets monthly and includes representatives from all components.
  The goal of the group is to improve IT security training efforts throughout the department by developing an enterprise solution for security awareness and role-based training.
• DHS’ Director for Information Security Training, Education, and Awareness conducted an assessment of each component’s IT security training program in June 2005.
• DHS’ Director for Information Security Training, Education, and Awareness is requiring each component to develop its security awareness, training, and education plan by September 1, 2005.

ISSUES TO BE ADDRESSED

• DHS has not implemented a department-wide web-based IT security training program to standardize security awareness training and to track the completion of the training. The training program was originally planned to be implemented in FY 2004 but is now projected to be implemented in FY 2006.
• Most of the components’ IT security awareness training does not explain DHS’ policy regarding peer-to-peer file sharing.
• DHS components have not identified all employees, including contractors, with significant IT security responsibilities, or been able to ensure that employees in those positions have received the necessary specialized security training.
• The Department’s Information Security Training, Education, and Awareness office (Training office) does not verify or validate the training data reported by the components. The Training office relies on the components’ ISSMs to review, summarize, and enter the training data into Trusted Agent FISMA for reporting.
• The Training office does not enforce the requirement that all employees and contractors complete refresher security awareness training by May 31st of each year, as stated in DHS policy.
• As of August 2, 2005, none of the components had submitted an IT Security Awareness and IT Professional Training plan for this year. In addition, no training plans were submitted last fiscal year (DHS policy requires plans to be submitted by September 1st of each year).

See Appendix I for information regarding DHS’ Security Training Procedures.

Recommendations

We recommend that the DHS CIO:
1. Report the DHS information security program as a significant deficiency for FY 2005 in its POA&M.
2. Ensure that all operational systems are certified and accredited in accordance with applicable OMB and NIST guidance.
3. Establish a process to ensure that all data in Trusted Agent FISMA, including POA&Ms, is complete, accurate, and current.
4. Develop a process to maintain a current department-wide system inventory.

Management Comments and OIG Analysis

DHS agreed with recommendation 1. DHS has developed a detailed remediation plan for FY 2006 to improve its security program.

We agree that the steps that DHS has taken, and plans to take, satisfy this recommendation.

DHS agreed with recommendation 2.
DHS deployed a C&A tool department-wide in April 2005 to be used to accredit all systems. Completion of accreditations of all systems is the goal of the DHS Information Security Program for FY 2006.

We agree that the steps DHS has taken, and plans to take, satisfy this recommendation.

DHS agreed with recommendation 3. DHS has made over 100 upgrades in FY 2005 to Trusted Agent FISMA to improve the accuracy and completeness of the data. In FY 2006, DHS will identify other ways to improve the review process and increase accountability at the component level.

We agree that the steps DHS has taken, and plans to take, satisfy this recommendation.

DHS agreed with recommendation 4. DHS completed a comprehensive inventory in FY 2005. The department recently implemented an inventory change control process, and plans on conducting periodic inventory updates with each component in FY 2006.

We agree that the steps DHS has taken, and plans to take, satisfy this recommendation.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA. We also evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program and practices, based on the requirements outlined in FISMA, and utilizing OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued on June 13, 2005. We conducted our work at the program level and at DHS’ major organizational components (CBP, CIS, FLETC, ICE, IAIP, Management, OIG, S&T, TSA, USCG, and USSS).

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components’ compliance with the security requirements mandated by FISMA and other federal information systems security policies, procedures, standards, and guidelines, including NIST SP 800-37 and FIPS 199. Specifically, we (1) used last year’s FISMA independent evaluation as a baseline for this year’s review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) reviewed policies, procedures, and practices that DHS has at the program level and at the organizational component level; (4) evaluated processes (i.e., system inventory, C&A, security training, and incident response) DHS has implemented as part of its agencywide information security program; and (5) developed our independent evaluation of DHS’ information security program.

OIG audit contractors were responsible for: reviewing the quality of the C&A packages for a sample of 16 systems at nine organizational components (CBP, CIS, FLETC, IAIP, ICE, Management, OIG, S&T, and USCG) to ensure that all of the required documents were completed prior to being accredited; and evaluating DHS’ major organizational components’ progress in developing, aligning, and managing their information security program and practices in compliance with DHS’ agencywide information security program.

We conducted our review between April and September 2005 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the review are identified in Appendix J.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audits Division at (202) 254-5444.

Appendix B
Management Response to Draft Report

Appendix C
Digital Dashboard as of August 26, 2005

Legend: Red – Marginal; Yellow – Basic; Green – Mature; Clear – Undefined

Appendix D
System Inventory and IT Security Performance

Question 1 and 2 – System Inventory and IT Security Performance

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).\n\nTo meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n    1) Continue to use NIST Special Publication 800-26, or,\n    2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet\nthe requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n\n2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of\nsystems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.\n\nQuestion 1 columns: a. FY 05 agency systems; b. FY 05 contractor systems; c. FY 05 total number of systems (for each, the total number and the number reviewed are the same, see comment (a)).\nQuestion 2 columns: a. number of systems certified and accredited; b. number of systems for which security controls have been tested and evaluated in the last year; c. number of systems for which contingency plans have been tested in accordance with policy and guidance (for each, the total number and the percent of total).\n\nBureau     FIPS 199 Risk      Q1a Agency    Q1b Contractor   Q1c Total      Q2a Certified and    Q2b Security controls   Q2c Contingency plans\nName       Impact Level       Systems (a)   Systems (a)      Systems (a)    accredited           tested in last year     tested per policy\n                                                                            Number   Percent     Number   Percent        Number   Percent\nCBP        High                    3              1               4            4     100.0%         3      75.0%            4     100.0%\n           Moderate                2              0               2            2     100.0%         2     100.0%            2     100.0%\n           Sub-total               5              1               6            6     100.0%         5      83.3%            6     100.0%\nCIS        High                    0              2               2            2     100.0%         0       0.0%            0       0.0%\n           Moderate                1              2               3            3     100.0%         0       0.0%            0       0.0%\n           Sub-total               1              4               5            5     100.0%         0       0.0%            0       0.0%\nEP&R       High                    9              1              10            3      30.0%         2      20.0%            0       0.0%\n           Moderate                1              1               2            0       0.0%         0       0.0%            0       0.0%\n           Sub-total              10              2              12            3      25.0%         2      16.7%            0       0.0%\nFLETC      High                    2              0               2            2     100.0%         0       0.0%            0       0.0%\n           Sub-total               2              0               2            2     100.0%         0       0.0%            0       0.0%\nIAIP       High                    1              1               2            0       0.0%         0       0.0%            0       0.0%\n           Sub-total               1              1               2            0       0.0%         0       0.0%            0       0.0%\nICE        High                    1              1               2            2     100.0%         0       0.0%            1      50.0%\n           Sub-total               1              1               2            2     100.0%         0       0.0%            1      50.0%\nMGMT       High                    1              0               1            0       0.0%         0       0.0%            1       0.0%\n           Moderate                0              1               1            1     100.0%         1     100.0%            1     100.0%\n           Sub-total               1              1               2            1      50.0%         1      50.0%            1      50.0%\nOIG        High                    2              0               2            2     100.0%         0       0.0%            0       0.0%\n           Sub-total               2              0               2            2     100.0%         0       0.0%            0       0.0%\nODP        High                    1              0               1            1     100.0%         0       0.0%            0       0.0%\n           Sub-total               1              0               1            1     100.0%         0       0.0%            0       0.0%\nS&T        High                    0              1               1            1     100.0%         0       0.0%            0       0.0%\n           Moderate                1              0               1            1     100.0%         0       0.0%            0       0.0%\n           Sub-total               1              1               2            2     100.0%         0       0.0%            0       0.0%\nTSA        High                    0              1               1            0       0.0%         0       0.0%            0       0.0%\n           Moderate                0              2               2            0       0.0%         0       0.0%            0       0.0%\n           Not Categorized         2              2               4            0       0.0%         0       0.0%            0       0.0%\n           Sub-total               2              5               7            0       0.0%         0       0.0%            0       0.0%\nUS-Visit   High                    0              1               1            1     100.0%         1     100.0%            0       0.0%\n           Moderate                0              1               1            1     100.0%         1     100.0%            0       0.0%\n           Sub-total               0              2               2            2     100.0%         2     100.0%            0       0.0%\nUSCG       High                    2              1               3            3     100.0%         1      33.3%            0       0.0%\n           Moderate                5              2               7            1      14.3%         3      42.9%            0       0.0%\n           Not Categorized         4              0               4            2      50.0%         0       0.0%            0       0.0%\n           Sub-total              11              3              14            6      42.9%         4      28.6%            0       0.0%\nUSSS       High                    3              0               3            3     100.0%         0       0.0%            0       0.0%\n           Moderate                1              0               1            0       0.0%         1     100.0%            0       0.0%\n           Sub-total               4              0               4            3      75.0%         1      25.0%            0       0.0%\nAgency     High                   25             10              35           24      68.6%         7      20.0%            5      14.3%\nTotals     Moderate               11              9              20            9      45.0%         8      40.0%            3      15.0%\n           Low                     0              0               0            0                    0                       0\n           Not Categorized         6              2               8            2      25.0%         0       0.0%            0       0.0%\n           Total                  42             21              63       35 (b)      55.6%        15      23.8%            8      12.7%\n\nComments:\n(a) Since we are only reporting the number of systems that we reviewed, the total number and the number reviewed are the same. See the CIO\xe2\x80\x99s report for the total number of systems\n    for each component.\n(b) The number of systems with a current C&A is based on an ATO letter, not on the adequacy of the documents required. 
As noted in Appendix F, 15 of the 16 accreditation\n    packages that the OIG reviewed were incomplete.\n\n\nQuestion 3 \xe2\x80\x93 System Inventory and IT Security Performance\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.\n     Response: Rarely, for example, approximately 0-50% of the time (a)\n     Response Categories:\n          - Rarely, for example, approximately 0-50% of the time\n          - Sometimes, for example, approximately 51-70% of the time\n          - Frequently, for example, approximately 71-80% of the time\n          - Mostly, for example, approximately 81-95% of the time\n          - Almost Always, for example, approximately 96-100% of the time\n\n3.b. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.\n     Response: Approximately 96-100% complete\n     Response Categories:\n          - Approximately 0-50% complete\n          - Approximately 51-70% complete\n          - Approximately 71-80% complete\n          - Approximately 81-95% complete\n          - Approximately 96-100% complete\n\n3.c. The OIG generally agrees with the CIO on the number of agency owned systems.\n     Response: Yes\n\n3.d. The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.\n     Response: Yes\n\n3.e. The agency inventory is maintained and updated at least annually.\n     Response: No (b)\n\n3.f. The agency has completed system e-authentication risk assessments.\n     Response: No\n\nComments:\n(a) DHS requires contractor systems to be evaluated in the same manner as agency owned systems. However, as of\n    August 26, 2005, only 46% of contractor systems have been reviewed this fiscal year.\n(b) DHS recently completed its first comprehensive system inventory. DHS has not developed a process that it will\n    use to update its system inventory beginning next year.\n\n\nAppendix E\nOIG Assessment of the POA&M Process\n\nQuestion 4 \xe2\x80\x93 OIG Assessment of the POA&M Process\n\nThrough this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide\nplan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing\nfrom the responses provided in the drop down menu. 
If appropriate or necessary, include comments in the area provided below.\n\nFor items 4.a.-4.f., the response categories are as follows:\n\n      -    Rarely, for example, approximately 0-50% of the time\n      -    Sometimes, for example, approximately 51-70% of the time\n      -    Frequently, for example, approximately 71-80% of the time\n      -    Mostly, for example, approximately 81-95% of the time\n      -    Almost Always, for example, approximately 96-100% of the time\n\n4.a. The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.\n     Response: Rarely, for example, approximately 0-50% of the time (a)\n\n4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).\n     Response: Rarely, for example, approximately 0-50% of the time (b)\n\n4.c. Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.\n     Response: Frequently, for example, approximately 71-80% of the time (c)\n\n4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.\n     Response: Sometimes, for example, approximately 51-70% of the time (d)\n\n4.e. OIG findings are incorporated into the POA&M process.\n     Response: Sometimes, for example, approximately 51-70% of the time (e)\n\n4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.\n     Response: Rarely, for example, approximately 0-50% of the time (f)\n\nComments:\n(a) DHS requires all known IT security weaknesses be included in Trusted Agent FISMA. As of August 22, 2005,\n    only 35 percent of the 791 operational applications and general support systems in Trusted Agent FISMA had\n    POA&Ms. Since only 32% of the operational systems have a completed C&A (see Appendix C), there should\n    be, at a minimum, at least one POA&M (lack of completed C&A) for 68% of the systems.\n(b) DHS requires components to create POA&Ms for all IT security weaknesses. However, most of the POA&Ms\n    do not contain all required information, such as resources required.\n(c) The CIO does not ensure that components update the status of their remediation progress. As of\n    August 22, 2005, 27% of open POA&Ms had an estimated completion date before July 22, 2005 (which\n    includes 2% that had not been updated in over one year).\n(d) While the CIO reports to OMB quarterly on the status of its POA&Ms, the CIO does not ensure that the\n    information in the POA&M is complete and accurate. The CIO relies on the component ISSMs to review and\n    update their POA&Ms on a monthly basis.\n(e) While the CIO requires all OIG findings be included in each component\xe2\x80\x99s POA&M, we noted OIG findings at\n    six components that were not incorporated into a POA&M.\n(f) Most of the components do not have a formal process to prioritize their POA&Ms.\n\n\nAppendix F\nOIG Assessment of the C&A Process\n\nQuestion 5 \xe2\x80\x93 OIG Assessment of the C&A Process\n\nOIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative\nassessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to existing policy,\nguidance, and standards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security\nCertification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and accreditation\nwork initiated after May 2004. 
This includes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards for Security\nCategorization of Federal Information and Information Systems,\xe2\x80\x9d to determine an impact level, as well as\nassociated NIST documents used as guidance for completing risk assessments and security plans.\n\nAssess the overall quality of the Department\xe2\x80\x99s certification and accreditation process.\n     Response: Poor (a)\n     Response Categories:\n          - Excellent\n          - Good\n          - Satisfactory\n          - Poor\n          - Failing\n\nComments:\n(a) Our review of 16 certification and accreditation packages at nine components found 15 instances in which the\n    accreditation packages were incomplete. Specifically, systems were accredited although some key security\n    documents were either not prepared, in draft, or did not meet all applicable OMB and NIST guidelines.\n    Documents include system security plans, risk assessments, FIPS 199 security categorizations, privacy impact\n    assessments, e-authentication assessments, memoranda of understanding, contingency plans, and\n    contingency plan testing.\n    Note: The implementation of the department-wide C&A tool (required use as of April 2005) may improve the\n    quality of the C&A packages in the future.\n\n\nAppendix G\nAgencywide Security Configuration Requirements\n\nQuestion 6 \xe2\x80\x93 Agencywide Security Configuration Requirements\n\n6.a. Is there an agency wide security configuration policy?\n     Response: 
Yes (Yes or No.)\n\nComments: DHS has included in its agency-wide policy the requirement that all components ensure that the\ninstallation of hardware and software products meet the requirements specified in applicable DHS baseline\nconfiguration guides. However, DHS has not developed configuration guides for all hardware and software\nsystems being used by its components.\n\n6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.\n\n     Response choices for the extent of implementation include:\n          - Rarely, or, on approximately 0-50% of the systems running this software\n          - Sometimes, or on approximately 51-70% of the systems running this software\n          - Frequently, or on approximately 71-80% of the systems running this software\n          - Mostly, or on approximately 81-95% of the systems running this software\n          - Almost Always, or on approximately 96-100% of the systems running this software\n\nProduct                      Addressed in agencywide policy?   Do any agency systems run this software?   Extent of implementation (a)\n                             (Yes, No, or N/A)                 (Yes or No)\nWindows XP Professional      Yes                               Yes\nWindows NT                   No                                Yes\nWindows 2000 Professional    Yes                               Yes\nWindows 2000 Server          Yes                               Yes\nWindows 2003 Server          Yes                               Yes\nSolaris                      Yes                               Yes\nHP-UX                        Yes                               Yes\nLinux                        Yes                               Yes\nCisco Router IOS             Yes                               Yes\nOracle                       Yes                               Yes\nOther. Specify:              N/A\n\nComments:\n(a) While many of the components use standard configurations for some of their systems, most have not\n    implemented DHS\xe2\x80\x99 configuration guides that were issued in November 2004. In addition, the CIO has not\n    verified or determined whether components are using DHS standard configurations (or any other standard\n    configurations).\n\n\nAppendix H\nIncident Detection and Handling Procedures\n\nQuestion 7 \xe2\x80\x93 Incident Detection and Handling Procedures\n\nIndicate whether or not the following policies and procedures are in place at your agency. If appropriate or\nnecessary, include comments in the area provided below.\n\n7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. (Yes or No.)\n     Response: Yes (a)\n\n7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. (Yes or No.)\n     Response: No (b)\n\n7.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT).\n     Response: 
Yes (Yes or No.)\n\nComments:\n(a) While DHS requires components to submit weekly incident reports, we determined that during a ten-week\n    period in 2005, four major components (CBP, CIS, EP&R, FLETC) did not submit reports every week.\n(b) We again determined that DHS has not documented detailed procedures for reporting incidents to law\n    enforcement authorities.\n\n\nAppendix I\nSecurity Training Procedures\n\nQuestion 8 \xe2\x80\x93 Security Training Procedures\n\nHas the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?\n     Response: Mostly, or, approximately 81-95% of employees have sufficient training\n     Response Choices include:\n          - Rarely, or, approximately 0-50% of employees have sufficient training\n          - Sometimes, or approximately 51-70% of employees have sufficient training\n          - Frequently, or approximately 71-80% of employees have sufficient training\n          - Mostly, or approximately 81-95% of employees have sufficient training\n          - Almost Always, or approximately 96-100% of employees have sufficient training\n\nComments: Eight of the components reviewed have established a process to determine that all employees, including\ncontractors, receive IT security awareness training. Components have not identified all of the employees with\nsignificant IT responsibility, nor have they established the type of specialized training to be provided to such employees.\nThe CIO does not perform any verification of the number of employees that the components report as being trained.\n\n\nQuestion 9 \xe2\x80\x93 Security Training Procedures\n\nDoes the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? (Yes or No.)\n     Response: No\n\nComments: Most of the components\xe2\x80\x99 IT security awareness training materials do not explain DHS\xe2\x80\x99 policy regarding\nPeer-to-Peer file sharing risks.\n\n\nAppendix J\nMajor Contributors to this Report\n\nInformation Security Audit Division\n\nEdward G. 
Coleman, Director\nJeff Arman, Audit Manager\nPatrick Nadon, Audit Manager\nChiu-Tong Tsang, Senior IT Auditor\nJason Bakelar, Senior IT Auditor\nPedro Calderon, IT Auditor\nChris Udoji, IT Auditor\nSwati Mahajan, IT Auditor\nScott Binder, IT Auditor\nKelby Funn, IT Auditor\nCharles Twitty, Referencer\n\nAdvanced Technology Division\n\nJim Lantzy, Director\nMichael Goodman, Security Engineer\n\n\nAppendix K\nReport Distribution\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nGeneral Counsel\nExecutive Secretariat\nChief Information Officer\nChief Financial Officer\nChief Information Security Officer\nPublic Affairs\nLegislative Affairs\nOffice of Security\nDirector, Departmental GAO/OIG Liaison Office\nDirector, Compliance and Oversight Program\nChief Information Officer Audit Liaison\nComponent ISSMs\nComponent CIOs\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\n\nAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations \xe2\x80\x93\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The\nOIG seeks to protect the identity of each writer and caller.\n"